本繁體中文版使用機器翻譯,譯文僅供參考,若與英文版本牴觸,應以英文版本為準。
範例庫與群組(IAM)原則
貢獻者
建議變更
PDF
以下是庫位原則和群組原則(IAM原則)的範例。
群組原則(IAM)
主目錄樣式庫存取
此群組原則僅允許使用者存取名為使用者使用者名稱之儲存區中的物件。
"Statement": [
{
"Sid": "AllowListBucketOfASpecificUserPrefix",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::home",
"Condition": {
"StringLike": {
"s3:prefix": "${aws:username}/*"
}
}
},
{
"Sid": "AllowUserSpecificActionsOnlyInTheSpecificUserPrefix",
"Effect": "Allow",
"Action": "s3:*Object",
"Resource": "arn:aws:s3:::home/?/?/${aws:username}/*"
}
]
}拒絕建立物件鎖定儲存區
此群組原則會限制使用者建立在貯體上啟用物件鎖定的貯體。
|
此原則並未在StorageGRID SUI中強制執行、只有S3 API才會強制執行。 |
{
"Statement": [
{
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::*"
},
{
"Action": [
"s3:PutBucketObjectLockConfiguration",
"s3:PutBucketVersioning"
],
"Effect": "Deny",
"Resource": "arn:aws:s3:::*"
}
]
}物件鎖定保留限制
此 Bucket 原則將物件鎖定保留期間限制為 10 天或更短
{
"Version":"2012-10-17",
"Id":"CustSetRetentionLimits",
"Statement": [
{
"Sid":"CustSetRetentionPeriod",
"Effect":"Deny",
"Principal":"*",
"Action": [
"s3:PutObjectRetention"
],
"Resource":"arn:aws:s3:::testlock-01/*",
"Condition": {
"NumericGreaterThan": {
"s3:object-lock-remaining-retention-days":"10"
}
}
}
]
}限制使用者以版本 ID 刪除物件
此群組原則會限制使用者依照版本 ID 刪除版本管理的物件
{
"Statement": [
{
"Action": [
"s3:DeleteObjectVersion"
],
"Effect": "Deny",
"Resource": "arn:aws:s3:::*"
},
{
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::*"
}
]
}此貯體原則會限制使用者(由使用者 ID 「 56622399308951294926 」識別)依版本 ID 刪除版本管理物件
{
"Statement": [
{
"Action": [
"s3:DeleteObjectVersion"
],
"Effect": "Deny",
"Resource": "arn:aws:s3:::verdeny/*",
"Principal": {
"AWS": [
"56622399308951294926"
]
}
},
{
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::verdeny/*",
"Principal": {
"AWS": [
"56622399308951294926"
]
}
}
]
}將儲存區限制為具有唯讀存取權的單一使用者
此原則可讓單一使用者擁有儲存區的唯讀存取權、並明確地讓Denys存取所有其他使用者。將「拒絕」陳述式分組在原則頂端、是加速評估的好做法。
{
"Statement": [
{
"Sid": "Deny non user1",
"Effect": "Deny",
"NotPrincipal": {
"AWS": "urn:sgws:identity::34921514133002833665:user/user1"
},
"Action": [
"s3:*"
],
"Resource": [
"urn:sgws:s3:::bucket1",
"urn:sgws:s3:::bucket1/*"
]
},
{
"Sid": "Allow user1 read access to bucket bucket1",
"Effect": "Allow",
"Principal": {
"AWS": "urn:sgws:identity::34921514133002833665:user/user1"
},
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"urn:sgws:s3:::bucket1",
"urn:sgws:s3:::bucket1/*"
]
}
]
}將群組限制為具有唯讀存取權的單一子目錄(首碼)
此原則可讓群組成員對儲存庫中的子目錄(前置)擁有唯讀存取權。貯體名稱為「 study 」、子目錄為「 study01 」。
{
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": [
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllowRootAndstudyListingOfBucket",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3::: study"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
"",
"study01/"
],
"s3:delimiter": [
"/"
]
}
}
},
{
"Sid": "AllowListingOfstudy01",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::study"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"study01/*"
]
}
}
},
{
"Sid": "AllowAllS3ActionsInstudy01Folder",
"Effect": "Allow",
"Action": [
"s3:Getobject"
],
"Resource": [
"arn:aws:s3:::study/study01/*"
]
}
]
}